author | V3n3RiX <venerix@koprulu.sector> | 2023-09-29 17:37:53 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-09-29 17:37:53 +0100 |
commit | ca2977e80c0b29d0e6ce6ff178b6e0043442262b (patch) | |
tree | c5285532adb7e0d3cec1f7e04c2cfb49e8f1575f /metadata/glsa | |
parent | 172f211c978ad5a44d673a147d1db4bb4677d60d (diff) |
gentoo auto-resync : 29:09:2023 - 17:37:53
Diffstat (limited to 'metadata/glsa')
-rw-r--r-- | metadata/glsa/Manifest | 30 | ||||
-rw-r--r-- | metadata/glsa/Manifest.files.gz | bin | 547709 -> 548500 bytes | |||
-rw-r--r-- | metadata/glsa/glsa-202309-10.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202309-11.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/glsa-202309-12.xml | 45 | ||||
-rw-r--r-- | metadata/glsa/glsa-202309-13.xml | 42 | ||||
-rw-r--r-- | metadata/glsa/glsa-202309-14.xml | 43 | ||||
-rw-r--r-- | metadata/glsa/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/glsa/timestamp.commit | 2 |
9 files changed, 232 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index dece5d71dadc..c5e18223a0cf 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 547709 BLAKE2B d36b5eab46802d38f5dc159e9f03149513662c9854aa62da883429961b68edb038ebef040f517863c136ecc51899290cd74c9087529037a37efe40ec65601123 SHA512 76b4b80b9d0d4cbbcdde748628052fa922c089cce8eb0edfc47cfa2875923af79393a7f6b07917b9aa64c2c7d7d6fbdc509c10b177b9df02314011f74f4f5b95 -TIMESTAMP 2023-09-29T10:10:03Z +MANIFEST Manifest.files.gz 548500 BLAKE2B d69c37d2e4e1895a076d1d7359c4b2e9ee1bb29bb132e37c5ebbfec54a414dbebe9f37903f835edd21f36c623a99ace2c24c3147d42057a99fd505bd8a1bc7a6 SHA512 5962e8d7b50c6e11e00b4f0217a7e22066dddd2df564ff9e7effe3a4f06f99abd73934a610fab81ed6e3d4849a4e2fc942054d55562e1f299eb9fce8ded836cf +TIMESTAMP 2023-09-29T16:10:11Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUWontfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUW9uNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBOtxAAodmGTvzvmwCcm0LNOQWN8cgyk2rUSf6knyeoReDJlAH8IhHqwFLIeJzN -2zFitFhWQ0Y5jLkQ2rkvt5O9XAPe27HMJIE55x4roa9+iyUSTFZHkQQcIQusU4aP -1Y9D1TPJY18kPJ1+QnsiQYK9xm/CTS4h54e4mKow4rcMQbXtZqmtmrWOfG0rE7sW -HrrpM5fAnFhinnCFUCIEXEYqCrm+F3rfOJIZwWkeFbFisR9OVOy2Xdm56r69S0Qt -e+HBSxBQfKoptS0fNkHuFTQ5nwNGwqQQcGC93Gbl6y1KwYaB7UFWbC13Fg8pS3tI -POdtsVb2LdsIb6UZ1A2LUKXP6CMYlOo2Q2D5IHTPgcqX1/oYGNDUgdNNMc7cwVU1 -rhYX7ybt4Y/Auf6hrolLPB9x4eyVDpg9ZDWyAjRdl1dBEtFvexQ79M+vkBElqZum -RdBPxYCSTi6956OKGLLGJMG3ZMyOXjBBq3JMivF+7O/opFqhnmqJoKjc6p1DULqu -ZZjPNvCkcdMeCd4TPLX5FR3yY2Y6JgvBCj0/kBmxr5IVoTFerOrWWTV5GxOaKMYM -UDhW8RfaeAaaAA0wbp9yznZoPoBxdbtTqgF4clWNAmpNFjYCufn83udgsWkBEXjh -ZeShPJ/nLVRAlb9EJS9in8JPmMgdB++8Jw3x8xSKcYYZVNuLcSY= -=+V0X +klABqBAAo9rvtMiIhmVMNeJLYFWyaM/QDAskYST0zgmyGAoKMlcgv2bpuNIfi/3q +xZeuOYqUgBmtS7yo0rAFNZEjqS3SoKesmwGz0OEMovS3OnODgvk/Yw9NT25datVY +j6tQ5bjBMB6ueZcVtt/mVjYiTa3nx8Ekf4yduI6LKQFKwpIbDD8SszvPL5ECkEZs 
+d/5HgxBxCblEYamkkofydVwxHHM3DB4miYkOFc1vbNHrRg8EvH/ZcIip0eyh45mV +lFXSkFsn3601PZe4TYxEBdb6XHyfympJ8XLdO9nlFon8Q53HRqvGwJYvMPccBUVn +RBIRRNK9TI9XjR/rC9Q4L/XOO7py2FCun3yQVTU8Wmy4u/C5cGtc/fiF5SN0CQrQ +pLwXR7C9zZRKDJsPmAm6MsUzXxFZxQyK1NHTAdLIeJbdg82SnSJJunvgT1U6NIZN +72JKs8PC92axIC39w4rHCg8u5pszP3sFWxJNERR21U14GvOZLxAJblw5dFvQ7X/K +xkxBwQcGtbvcP5/soSZBGlaPb9tQGR9rxYGOC9OLZmSEUjtGlnBT5wSNk8N2kmHJ +Di34bU4xrJezO4oxOrqp3Iy+G7t44k7CHFKdetjV/iG8H+qGOHypnx4J40QMrBw+ +c8QecGR21Xgna8hbhkF+3gxDpPzkDFNVdq5KC6Or2J9aO8LQyUQ= +=dx9B -----END PGP SIGNATURE----- diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz Binary files differindex b0d4956e2ece..98277cf32d3a 100644 --- a/metadata/glsa/Manifest.files.gz +++ b/metadata/glsa/Manifest.files.gz diff --git a/metadata/glsa/glsa-202309-10.xml b/metadata/glsa/glsa-202309-10.xml new file mode 100644 index 000000000000..ab90f225c850 --- /dev/null +++ b/metadata/glsa/glsa-202309-10.xml 
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202309-10">
+ <title>Fish: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code</synopsis>
+ <product type="ebuild">fish</product>
+ <announced>2023-09-29</announced>
+ <revised count="1">2023-09-29</revised>
+ <bug>835337</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-shells/fish" auto="yes" arch="*">
+ <unaffected range="ge">3.4.0</unaffected>
+ <vulnerable range="lt">3.4.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Smart and user-friendly command line shell for macOS, Linux, and the rest of the family. It includes features like syntax highlighting, autosuggest-as-you-type, and fancy tab completions that just work, with no configuration required.</p>
+ </background>
+ <description>
+ <p>A vulnerability have been discovered in Fish. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>A user may be enticed to cd into a git repository under control by an attacker (e.g. on a shared filesystem or by unpacking an archive) and execute arbitrary commands.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All fish users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20001">CVE-2022-20001</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-09-29T10:53:27.976806Z">graaff</metadata>
+ <metadata tag="submitter" timestamp="2023-09-29T10:53:27.979954Z">graaff</metadata>
+</glsa>
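Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration on the second added line points parsers at an external DTD over cleartext HTTP, so any tool that resolves it while reading the advisory loads schema content from an unauthenticated channel. Consumers of these files should parse with external DTD and entity loading switched off, or validate against a locally installed copy of the DTD. If the declaration has to stay in the format, an `https://` system identifier would be the smaller change, provided the DTD is served there. The same line opens glsa-202309-11.xml through glsa-202309-14.xml in this commit. Separately, the description's `A vulnerability have been discovered` should read `has been discovered`.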
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202309-11.xml b/metadata/glsa/glsa-202309-11.xml
new file mode 100644
index 000000000000..91f9f39a8d3f
--- /dev/null
+++ b/metadata/glsa/glsa-202309-11.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202309-11">
+ <title>libsndfile: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libsndfile, the worst of which could result in arbitrary code execution.</synopsis>
+ <product type="ebuild">libsndfile</product>
+ <announced>2023-09-29</announced>
+ <revised count="1">2023-09-29</revised>
+ <bug>803065</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libsndfile" auto="yes" arch="*">
+ <unaffected range="ge">1.1.0</unaffected>
+ <vulnerable range="lt">1.1.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libsndfile is a C library for reading and writing files containing sampled sound.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libsndfile. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libsndfile users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.1.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3246">CVE-2021-3246</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4156">CVE-2021-4156</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-09-29T11:28:49.377032Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-09-29T11:28:49.380908Z">graaff</metadata>
+</glsa>
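Review bot: The `<impact type="normal">` paragraph holds only the placeholder `Please review the referenced CVE identifiers for details.`, although the synopsis already says the worst issue could result in arbitrary code execution. Someone triaging from the advisory body alone gets no statement of the consequence; the paragraph could restate it, for example `<p>The worst of these issues could result in arbitrary code execution.</p>`. glsa-202309-12.xml and glsa-202309-14.xml carry the same placeholder under `<impact>`, with root privilege escalation and denial of service as the worst cases named in their synopses.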
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202309-12.xml b/metadata/glsa/glsa-202309-12.xml
new file mode 100644
index 000000000000..95404c8496d5
--- /dev/null
+++ b/metadata/glsa/glsa-202309-12.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202309-12">
+ <title>sudo: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation.</synopsis>
+ <product type="ebuild">sudo</product>
+ <announced>2023-09-29</announced>
+ <revised count="1">2023-09-29</revised>
+ <bug>898510</bug>
+ <bug>905322</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-admin/sudo" auto="yes" arch="*">
+ <unaffected range="ge">1.9.13_p2</unaffected>
+ <vulnerable range="lt">1.9.13_p2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>sudo allows a system administrator to give users the ability to run commands as other users.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in sudo. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="high">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All sudo users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.13_p2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27320">CVE-2023-27320</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28486">CVE-2023-28486</uri>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28487">CVE-2023-28487</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-09-29T12:15:42.245017Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-09-29T12:15:42.248484Z">graaff</metadata>
+</glsa>
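Review bot: `<access>remote</access>` does not obviously fit an advisory whose synopsis describes root privilege escalation in sudo, a tool that is normally reached by a user who already has a local account. If the referenced CVEs need local access, the field should read `<access>local</access>`, as it does in glsa-202309-10.xml; the CVE entries themselves are not part of this page, so this needs checking against them before changing. The distinction matters to anyone who filters advisories by access vector to decide patch priority.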
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202309-13.xml b/metadata/glsa/glsa-202309-13.xml
new file mode 100644
index 000000000000..c9a01015913d
--- /dev/null
+++ b/metadata/glsa/glsa-202309-13.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202309-13">
+ <title>GMP: Buffer Overflow Vulnerability</title>
+ <synopsis>A buffer overflow vulnerability has been found in GMP which could result in denial of service.</synopsis>
+ <product type="ebuild">gmp</product>
+ <announced>2023-09-29</announced>
+ <revised count="1">2023-09-29</revised>
+ <bug>823804</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-libs/gmp" auto="yes" arch="*">
+ <unaffected range="ge">6.2.1-r2</unaffected>
+ <vulnerable range="lt">6.2.1-r2</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The GNU Multiple Precision Arithmetic Library is a library forarbitrary-precision arithmetic on different types of numbers.</p>
+ </background>
+ <description>
+ <p>There is an integer overflow leading to a buffer overflow when processing untrusted input via GMP's mpz_inp_raw function.</p>
+ </description>
+ <impact type="normal">
+ <p>Untrusted input can cause a denial of service via segmentation fault.</p>
+ </impact>
+ <workaround>
+ <p>Users can ensure no untrusted input is passed into GMP's mpz_inp_raw function.</p>
+ </workaround>
+ <resolution>
+ <p>All GMP users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/gmp-6.2.1-r2"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43618">CVE-2021-43618</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-09-29T13:02:07.835979Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-09-29T13:02:07.839044Z">graaff</metadata>
+</glsa>
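Review bot: The `<background>` paragraph has two words run together, `forarbitrary-precision`, which should read `for arbitrary-precision`. Because this commit is an automated resync, the correction belongs in the upstream advisory source rather than in this tree, where an edited file would presumably no longer match the hashes behind the signed Manifest.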
\ No newline at end of file
diff --git a/metadata/glsa/glsa-202309-14.xml b/metadata/glsa/glsa-202309-14.xml
new file mode 100644
index 000000000000..c9c519077013
--- /dev/null
+++ b/metadata/glsa/glsa-202309-14.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202309-14">
+ <title>libarchive: Multiple Vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service.</synopsis>
+ <product type="ebuild">libarchive</product>
+ <announced>2023-09-29</announced>
+ <revised count="1">2023-09-29</revised>
+ <bug>882521</bug>
+ <bug>911486</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/libarchive" auto="yes" arch="*">
+ <unaffected range="ge">3.7.1</unaffected>
+ <vulnerable range="lt">3.7.1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libarchive is a library for manipulating different streaming archive formats, including certain tar variants, several cpio formats, and both BSD and GNU ar variants.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libarchive. Please review the CVE identifiers referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>Please review the referenced CVE identifiers for details.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libarchive users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.7.1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36227">CVE-2022-36227</uri>
+ </references>
+ <metadata tag="requester" timestamp="2023-09-29T13:38:51.852767Z">ajak</metadata>
+ <metadata tag="submitter" timestamp="2023-09-29T13:38:51.855730Z">graaff</metadata>
+</glsa>
\ No newline at end of file diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk index b30c199fa4e1..564b12c6c439 100644 --- a/metadata/glsa/timestamp.chk +++ b/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 29 Sep 2023 10:10:00 +0000 +Fri, 29 Sep 2023 16:10:06 +0000 diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit index 69c6e9226e17..dd18748ab966 100644 --- a/metadata/glsa/timestamp.commit +++ b/metadata/glsa/timestamp.commit @@ -1 +1 @@ -1879b11c680b5a942bb283d62aff5b3aa0b78304 1695976656 2023-09-29T08:37:36+00:00 +e05346e205e470b799ae6c0dafb506d6aa1cdae8 1695994770 2023-09-29T13:39:30+00:00 |